  1. #1

    PHP prevent SQLi injection help

    The script doesn't work for me for some reason

    PHP Code:
    <?
    mysql_connect("xxx","xxx","xxx");
    mysql_select_db("name");
    if (!isset($_POST['submit'])) {
        print "<form action=\"\" method=\"POST\">";
        print "<input name=\"dgt\" type=\"text\">";
        print "<input name=\"submit\" value=\"search\" type=\"submit\">";
        print "</form>";
    } else {
        $md5 = $_POST['dgt'];
        if (strlen($md5) != "10") {
            print "Name is incorrect.";
        } else {

            $query = mysql_query("SELECT * FROM md5 WHERE md5 ='$md5';");

            $string = "SELECT * FROM md5 WHERE md5 ='" . mysql_real_escape_string($md5) . "';"; // $md5 needs to be escaped.
            $query = mysql_query($string);

            while ($row = mysql_fetch_assoc($query)) {
                if (isset($row[no])) {
                    print "True<br />$row[name]";
                } else {
                    print "False.";
                }
            }
        }
    }
    ?>
    What is wrong with the script? I would also like to prevent any SQL injections but I have no clue how to fix the vulnerability.

    Please help.

  • #2
    Please disregard the above post.

    Since there is no option to edit my OP for some reason, I couldn't fix the script.

    Here is the script that I'm having problems with:

    PHP Code:
    <?
    mysql_connect("xxx","xxx","xxx");
    mysql_select_db("name");
    if (!isset($_POST['submit'])) {
        print "<form action=\"\" method=\"POST\">";
        print "<input name=\"dgt\" type=\"text\">";
        print "<input name=\"submit\" value=\"search\" type=\"submit\">";
        print "</form>";
    } else {
        $customer = $_POST['dgt'];
        if (strlen($customer) != "10") {
            print "Name is incorrect.";
        } else {

            $query = mysql_query("SELECT * FROM name WHERE name ='$customer';");

            $string = "SELECT * FROM name WHERE name ='" . mysql_real_escape_string($customer) . "';";
            $query = mysql_query($string);

            while ($row = mysql_fetch_assoc($query)) {
                if (isset($row[no])) {
                    print "True<br />$row[name]";
                } else {
                    print "False.";
                }
            }
        }
    }
    ?>

  • #3
    Try this maybe?

    PHP Code:
    <?

    function sanitize($s) {
        return str_replace('&amp;#', "&#", str_replace('"', "&quot;", str_replace("'", "&#39;", str_replace("<", "&lt;", str_replace(">", "&gt;", str_replace("%", "", $s))))));
    }
    $customer = $_REQUEST['dgt'];

    mysql_connect("xxx","xxx","xxx");
    mysql_select_db("name");
    if (!isset($_POST['submit'])) {
        print "<form action=\"\" method=\"POST\">";
        print "<input name=\"dgt\" type=\"text\">";
        print "<input name=\"submit\" value=\"search\" type=\"submit\">";
        print "</form>";
    } else {
        //$customer = $_POST['dgt'];
        if (strlen($customer) != "10") {
            print "Name is incorrect.";
        } else {

            $query = mysql_query("SELECT * FROM name WHERE name ='$customer';");

            $string = "SELECT * FROM name WHERE name ='" . sanitize($customer) . "';";
            $query = mysql_query($string);

            while ($row = mysql_fetch_assoc($query)) {
                if (isset($row[no])) {
                    print "True<br />$row[name]";
                } else {
                    print "False.";
                }
            }
        }
    }
    ?>


    I didn't test anything, but it looks OK from that end at least. You could try describing the errors to us.
    Last edited by embeebutterly; 12-09-2013 at 03:51 PM. Reason: PHP code tags added

  • #4
    felgall
    Note that mysql_ calls are deprecated and about to be removed from PHP. You should be using either mysqli_ calls or PDO instead.

    With either of the current types of database call you can use PREPARE and BIND instead of QUERY in order to keep the data separate from the SQL and so make injection impossible.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
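
The prepare-and-bind approach recommended in post #4, next to the concatenated query from posts #1 to #3, as an added example that is not code from the thread. It assumes PHP 7 or later with the PDO SQLite driver so that it runs without a database server (for MySQL only the DSN passed to `new PDO()` changes); the function names and sample rows are constructed for illustration, while the table and column names are the ones the thread uses.

```php
<?php
// Added example, not code from the thread. Assumes the PDO SQLite driver so it
// runs without a server; for MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the thread's table and column names.
$pdo->exec('CREATE TABLE name ("no" INTEGER, name TEXT)');
$pdo->exec("INSERT INTO name VALUES (1, 'alice00001'), (2, 'bob0000002')");

// Pattern from the thread: user input concatenated into the SQL text.
function lookupConcatenated(PDO $pdo, string $customer): array
{
    $sql = "SELECT * FROM name WHERE name ='$customer';";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepare and bind: the SQL text is fixed, the value travels separately.
function lookupPrepared(PDO $pdo, string $customer): array
{
    $stmt = $pdo->prepare('SELECT * FROM name WHERE name = :customer');
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs, each exactly 10 characters so both pass the length check.
$inputs = [
    'alice00001',   // ordinary value
    "a' OR ''='",   // quote-bearing value that rewrites the concatenated WHERE clause
];

foreach ($inputs as $customer) {
    if (strlen($customer) != 10) {
        echo "Name is incorrect.\n";
        continue;
    }
    printf(
        "%-12s concatenated: %d row(s)  prepared: %d row(s)\n",
        $customer,
        count(lookupConcatenated($pdo, $customer)),
        count(lookupPrepared($pdo, $customer))
    );
}
```

The 10-character length check accepts both inputs, so it does not act as an injection defence; only the bound parameter keeps the second value as data. When echoing `$row['name']` into HTML, pass it through `htmlspecialchars()` at output time rather than altering the value before it reaches the query.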

